1. Introductions and apologies


1.1. There were apologies from the Commissioner who was
unable to attend the meeting. Helen Heywood, the interim 
Head of Finance, was welcomed to this, her first Audit 
Committee meeting at the ICO. 


2. Declaration of interests 


2.1. There were no declarations of interest. 


3. Minutes and action points from the Audit Committee 
meeting of the 2 December 2013 


3.1. The minutes of this meeting had been agreed in
correspondence. They were presented for information. 


3.2. There was one action outstanding for Daniel Benjamin
to feed back to this meeting on retrospective approval for
expenditure covered by MOJ controls prior to the controls 
being followed by the ICO. This action had been cleared and 
the NAO agenda item (no 11) covered the matter. 


4. Director of Corporate Services update 


4.1. In the absence of the Commissioner this item was an 
opportunity for the Director of Corporate Services, Daniel 
Benjamin, to provide an update on issues affecting the office 
and his area of responsibilities. 


4.2. Matters raised by Daniel Benjamin included: 


4.2.1. The recent election for the chair of the Article 29 
Working Group. 


4.2.2. Project Eagle, the modified approach to handling data 
protection complaints and enquiries which would 
commence on 1 April. 


4.2.3. The recent and very successful Data Protection 
Practitioners’ Conference. For the first time the ICO had 
charged a fee for attendance. 


4.2.4. Recent press related seminars linked to the Leveson 
Inquiry and report. 


4.2.5. The ongoing discussions with the Ministry of Justice 
(MOJ) on changes to ICO funding. 


4.2.6. Expected year end outturn.


4.2.7. Accommodation issues.


4.2.8. MOJ expense controls and the practicalities of 
managing approval for expenditure. 


4.2.9. Recruitment of a permanent Head of Finance. 


Risk register 


4.3. Executive Team had discussed risk for the new financial 
year and had identified three in the areas of budgeting (for 
2015/16), succession planning and staff motivation. 


4.4. The budgeting risk was considered to be an area of 
uncertainty across government. The Committee were also 
concerned that existing mitigations were not reflected in an 
improving risk status. It felt that the ICO was doing much to 
mitigate the risk. 


4.5. The risk register was to come back to Executive Team 
shortly for consideration of mitigating actions and risk status, 
and a revised version would come to the April Management 
Board. Audit Committee views would be reflected. 


Action point 1: Peter Bloomfield to ensure that the risk 
register is discussed further at Executive Team and 
then Management Board in April. 


ICO Plan and Budget 


4.6. The draft ICO Plan 2014-2017 and draft 2014/15 
budget were also presented. Both were near finalisation. 


4.7. The ICO Plan was commended for providing the ICO 
with clear objectives for the three years ahead. 


4.8. Similarly presentation of the budget was liked. It was 
suggested, however, that having one indicator of efficiency 
would be useful. The ICO had cleared more work with 
reduced resources and if an overarching indicator could be 
constructed it would allow the ICO to demonstrate the totality 
of what had been done over the last few years in becoming 
more efficient. 


Action point 2: Daniel Benjamin to consider 
development of an overarching ICO efficiency 
indicator. 


5. Audit Committee annual report 


5.1. Peter Bloomfield presented a draft Audit Committee 
Annual Report for 2013/14. Elements will need to be updated 
at the next meeting in light of internal audit and external 
audit reports. 


5.2. Suggested amendments included reflecting the recent
re-tendering of the internal audit function in the document, 
and the forthcoming change of Committee chair in June. 


Action point 3: Peter Bloomfield to revise the draft 
accordingly and to amend further as information firms 
up in the areas of audit reports etc, ensuring as near 
final a draft as possible comes to the June Audit 
Committee. 


6. Governance Statement 


6.1. Peter Bloomfield presented the draft Governance 
Statement for the Commissioner to make in the ICO’s Annual 
Report and Accounts for 2013/14. Again elements will need 
to be updated to reflect internal and external audit reports. 


6.2. The draft was liked by the Committee. There were
concerns about how attendance at the Committee was
reflected as one percentage figure, and further
consideration of references to risk was needed, especially in
the areas of budgeting and staff motivation.


6.3. A need to refer to the recent review of corporate 
governance in the section on Board effectiveness was also 
highlighted. 


Action point 4: Peter Bloomfield to revise the draft to
reflect discussion and, together with the Commissioner,
to ensure that as near final a draft as possible comes
to the June Audit Committee.


7. Planning for the Annual Report and Accounts 


7.1. Peter Bloomfield alerted members and auditors to the 
timetable and template which would be used to develop the 
Annual Report and Accounts for 2013/14. There had been 
minor changes made since the timetable had been tabled; 
putting the deadline for internal contributions back slightly. 
This had no impact on the NAO or on laying dates. 


7.2. A change in approach this year was highlighted. The 
aim was to minimise the need for changes to the PDF version 
of the document; focus would be on getting the word version 
right. Doing so allowed time for substantive comments made 
at the June Audit Committee to be accommodated. 


8. Integrated assurance update 


8.1. Louise Byers and Lesley Bett attended to provide the 
Committee with an update on the integrated assurance 
project. The recent exercise had focused on information 
governance and financial controls. Returns had been received 
from all departments. Responses had been honest and 
thoughtful. The exercise had also helped support the concept 
of information asset ownership in the office. 


8.2. The results had been discussed at Leadership Group and
examples of good practice shared. Lessons had also been
learnt from differing interpretations of some of the questions
asked which had affected scoring. It was also noted that
there was not a wide difference between the results for
operational and support areas of the office.


8.3. A review in other areas was planned over the summer 
with the areas of information governance and financial 
controls being re-visited in the latter half of the year. 


8.4. There was substantive discussion on how best to take 
integrated assurance forward, and the links to internal audit. 
The work done did provide assurance to management and 
also highlighted areas for internal audit to consider. These 
links needed to be explored during 2014/15 with the aim of 
creating a fully integrated assurance model for 2015/16. 


Action point 5: Daniel Benjamin to discuss the work 
needed on creating a fully integrated assurance model 
with Grant Thornton. 


9. Outstanding audit recommendations 


9.1. The register of outstanding internal audit 
recommendations was provided for information. There are 
just two audit recommendations relating to raising awareness 
of business continuity and IT disaster recovery. Both were 
overdue. 


9.2. No recommendations had been added recently as 
recommendations were often cleared before the reports came 
to the committee. Reviews had also been back loaded 
towards the end of the year which had reduced the number 
of recommendations made. 


9.3. The IT disaster recovery test planned for December had 
not taken place. A test was now planned for April. Delays had 
arisen due to the IT re-procurement last year. Similarly a test 
of the ICO’s business continuity plan had not taken place due 
to resourcing issues. 


9.4. Whilst the Audit Committee noted the general 
improvement in clearing audit recommendations quickly, in 
these two cases there did need to be management 
commitment to clearing the outstanding recommendations 
soon and if possible by the end of April. 


Action point 6: Daniel Benjamin to seek to ensure that 
the two outstanding recommendations were cleared as 
soon as possible. 


10. Internal audit 


Internal audit progress report 


10.1. Grant Thornton presented their internal audit progress 
report. They would bring the outstanding internal audit 
reports to the June Committee meeting for consideration. 


Payroll and pensions review 


10.2. This review had considered the controls and processes 
within the ICO prior to sending information to the payroll and 
pensions provider. There had been one medium and one low 
risk recommendation, both of which had been actioned. 


Debit and credit card payments in ICE review 


10.3. During last year the ICO had begun to take card 
payments for notification fees. This review had focused on 
the internal processes and controls in place. There were two 
recommendations, one medium and one low risk. 


10.4. There were concerns that the management response to 
recommendation 1, relating to the reporting capabilities of 
the IT system, was more of an interim response. Grant 
Thornton would check the position during April. 


Action point 7: Howard Munson to review the status of 
the recommendation that all ICE functionality issues 
should be logged with the project team with resolution 
dates agreed, and to report back to Audit Committee in 
June. 


Governance and decision making review 


10.5. This review was advisory and had involved discussion 
with senior managers including some of the non-executives 
and the Commissioner. In light of the nature of the review it 
was recognised that tracking actions against the 
recommendations would be difficult in most cases. Grant 
Thornton therefore intended to re-visit the recommendations 
in a year or so and review progress. In addition including the 
recommendations within the annual self assessment of the 
ICO’s committees was proposed. 


10.6. The review had led to constructive recommendations, 
and reflected the maturity of corporate governance at the 
ICO. 


Action point 8: Howard Munson to schedule in
re-visiting the recommendations in 2015/16.


Action point 9: Peter Bloomfield to copy the review to
all of the non-executives and to ensure discussion (as
part of the Audit Committee update) at the next
Management Board.


Draft IT service management review


10.7. The draft report was presented for information. It was
noted that a finalised report would come to the next Audit
Committee.


Internal audit plan 2014/15


10.8. Initial thoughts on areas for internal audit during
2014/15 were presented. The Committee was disappointed
that a full plan had not been provided and the ICO and Grant
Thornton would seek to firm up a plan, before April if
possible, and provide it to Audit Committee members for
comments by correspondence.


Action point 10: Daniel Benjamin to arrange for a draft 
internal audit plan to be circulated to Audit Committee 
members prior to the end of March if possible. 


11. External audit


11.1. The NAO presented their audit progress report.
Headlines from work to date included identification of two
cases where an incorrect notification fee might have been
paid; improvements to the management accounts process
identified (including reporting on an accruals rather than cash
basis); use of Government Procurement Cards (GPCs) to top
up Oyster cards; and retrospective approval of MOJ financial
controls.


11.2. In respect of the use of GPCs to top up Oyster cards, it
was noted that in doing so the ICO was following good
procurement practice and there was a 100% check on card
bills via line managers.


11.3. The apportionment model would be reviewed as part of
the final audit.


12. Any other urgent business


12.1. There was no other business. 


